From 55c5b3696fb843f69b511c0bd3184a50ed486b7f Mon Sep 17 00:00:00 2001
From: Randall Wyatt
Date: Wed, 3 Jun 2026 09:18:46 -0400
Subject: [PATCH 01/18] [SEC-6038] codeql workflow fix
---
 .github/workflows/codeql.yml | 57 +++++++++++++-----------------------
 1 file changed, 21 insertions(+), 36 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 152908530..ab48ad828 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,14 +1,3 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
 name: "CodeQL Advanced"
 on:
@@ -16,11 +5,24 @@ on:
 branches: [ "master" ]
 pull_request:
 branches: [ "master" ]
+ schedule:
+ - cron: '0 0 * * 1' # Runs every Monday at midnight, this is to ensure that there is at least 1 scan every 7 days.
+
+ workflow_dispatch:
+ inputs:
+ pr_id:
+ description: 'Pull Request ID'
+ required: true
+ type: string
+
+ concurrency:
+ group: codeql-${{ github.ref }}
+ cancel-in-progress: true
 jobs:
 Analyze_Ruby_JSandTS:
 name: Analyze (${{ matrix.language }})
- runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ runs-on: gha-runner-no-perms
 permissions:
 # required for all workflows
 security-events: write
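Review bot: The new `workflow_dispatch` input `pr_id` is declared `required: true` but nothing in this patch reads it, so every manual run demands a value that has no effect; if a later step does consume it, pass it through `env:` rather than interpolating `${{ inputs.pr_id }}` directly inside a `run:` script, because the input is free-form text and that pattern is a shell-injection vector. Since the value is a PR number, `type: number` (or dropping the input until it is used) would also narrow what a caller can supply. The same hunk moves a job that fires on `pull_request` onto the self-hosted label `gha-runner-no-perms`; if this repository accepts pull requests from forks, fork-controlled checkouts then land on your own infrastructure, which GitHub advises against for self-hosted runners unless they are ephemeral and isolated, so a comment stating that assumption next to `runs-on:` would help the next maintainer, e.g. `# self-hosted label; PR-triggered, so runners must be ephemeral and hold no credentials`. The job's `permissions:` block continues past the end of this hunk.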
@@ -46,21 +48,12 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
- # Add any setup steps before running the `github/codeql-action/init` action.
- # This includes steps like installing compilers or runtimes (`actions/setup-node`
- # or others). This is typically only required for manual builds.
- # - name: Setup runtime (example)
- # uses: actions/setup-example@v1
-
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@v4
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
- # If you wish to specify custom queries, you can do so here or in a config file.
- # By default, queries listed here will override any specified in a config file.
- # Prefix the list here with "+" to use these queries and those in the config file.
 # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
 queries: ${{ matrix.language && 'security-extended, security-and-quality' }}
@@ -75,7 +68,7 @@ jobs:
 echo ' make release'
 exit 1
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@v4
 with:
 category: "/language:${{matrix.language}}"
@@ -106,12 +99,6 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
- # Add any setup steps before running the `github/codeql-action/init` action.
- # This includes steps like installing compilers or runtimes (`actions/setup-node`
- # or others). This is typically only required for manual builds.
- # - name: Setup runtime (example)
- # uses: actions/setup-example@v1
-
 - name: Setup
 uses: ./.github/actions/setup
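Review bot: Every action in these hunks is referenced by a mutable major tag (`actions/checkout@v4`, `github/codeql-action/init@v4`, `github/codeql-action/analyze@v4`), so the code running in a job that holds `security-events: write` can change without any edit to this file; for a security-scanning workflow, pin each `uses:` to a full commit SHA and keep the tag in a trailing comment, e.g. `uses: github/codeql-action/init@<sha> # v4`, and let Dependabot or Renovate move the SHA. The `v3` to `v4` bump itself is appropriate, though it is worth checking the v4 release notes for any runner or Node runtime requirement the self-hosted runners chosen in patch 01 may not meet. The step list for each job continues outside these hunks.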
@@ -129,13 +116,10 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@v4
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
- # If you wish to specify custom queries, you can do so here or in a config file.
- # By default, queries listed here will override any specified in a config file.
- # Prefix the list here with "+" to use these queries and those in the config file.
 # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
 queries: ${{ matrix.language && 'security-extended, security-and-quality' }}
@@ -143,13 +127,14 @@ jobs:
 - if: matrix.build-mode == 'manual'
 shell: bash
 run: |
+ mkdir example
 cd example
 yarn install
 cd android
 ./gradlew clean
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@v4
 with:
 category: "/language:${{matrix.language}}"
@@ -187,7 +172,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@v4
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
@@ -209,6 +194,6 @@ jobs:
 xcodebuild -workspace ReactNativeSdkExample.xcworkspace -scheme ReactNativeSdkExample -configuration Debug -destination 'platform=iOS Simulator,name=iPhone 16' build
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@v4
 with:
 category: "/language:${{matrix.language}}"
From df9669817e95820c26b913efa269e3944e6878a8 Mon Sep 17 00:00:00 2001
From: Randall Wyatt
Date: Wed, 3 Jun 2026 09:26:41 -0400
Subject: [PATCH 02/18] removed the mkdir
---
 .github/workflows/codeql.yml | 1 -
 1 file changed, 1 deletion(-)
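Review bot: The manual build step for the Kotlin job runs `yarn install` and `./gradlew clean` straight from the checked-out tree with no lockfile enforcement and no wrapper validation, so the dependency tree CodeQL analyzes can drift from what is committed, and whatever `gradle/wrapper/gradle-wrapper.jar` is in the checkout executes on the runner unverified. Use `yarn install --frozen-lockfile` (Yarn 1; `--immutable` on Yarn 2+) and add a `gradle/actions/wrapper-validation` step before the first `./gradlew` invocation. The added `mkdir example` (no `-p`) fails under the step's `-e` shell whenever `example/` already exists in the checkout, which presumably is why the next patch removes it. The `if: matrix.build-mode == 'manual'` step is fully inside the hunk; the job header and matrix are not.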
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ab48ad828..2901deff1 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -127,7 +127,6 @@ jobs:
 - if: matrix.build-mode == 'manual'
 shell: bash
 run: |
- mkdir example
 cd example
 yarn install
 cd android
From 7dbeafa7be05d83d393401453f795aac73a51bc0 Mon Sep 17 00:00:00 2001
From: Randall Wyatt
Date: Wed, 3 Jun 2026 10:09:01 -0400
Subject: [PATCH 03/18] Updating the setup java version
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2901deff1..c483ab6c6 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -104,7 +104,7 @@ jobs:
 - name: Install JDK
 if: env.turbo_cache_hit != 1
- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
 with:
 distribution: 'zulu'
 java-version: '17'
From f7c5d847933fa426bdcd4ece064bf4cceab3481a Mon Sep 17 00:00:00 2001
From: Randall Wyatt
Date: Mon, 8 Jun 2026 09:45:12 -0400
Subject: [PATCH 04/18] Adding no build and no cache
---
 .github/workflows/codeql.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c483ab6c6..5db115d39 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -102,6 +102,14 @@ jobs:
 - name: Setup
 uses: ./.github/actions/setup
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: '22'
+
+ - name: Install Dependencies
+ run: npm install
+
 - name: Install JDK
 if: env.turbo_cache_hit != 1
 uses: actions/setup-java@v4
@@ -130,7 +138,7 @@ jobs:
 cd example
 yarn install
 cd android
- ./gradlew clean
+ ./gradlew clean --no-daemon --no-build-cache
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v4
From 4886be00730dada360effba32e8ef44c260c65cd Mon Sep 17 00:00:00 2001
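Review bot: In patch 04, `run: npm install` re-resolves the dependency tree (and may rewrite `package-lock.json`) and runs every dependency's install scripts on the runner, whereas `npm ci` installs exactly what the lockfile records and fails on drift; for a scan job `run: npm ci` (or `npm ci --ignore-scripts` if the build needs no lifecycle hooks) is the safer default. The same job already runs `yarn install` inside `example/`, so mixing npm at the root with yarn in the sub-project can yield two different resolutions of shared packages, and the repository's lockfile type should decide which tool belongs here. The `--no-daemon --no-build-cache` flags on `./gradlew` are reasonable for a one-shot CI run. The Install JDK step is cut by the hunk's edge.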
From: Randall Wyatt
Date: Mon, 8 Jun 2026 09:48:19 -0400
Subject: [PATCH 05/18] changing build
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5db115d39..c8901ff51 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -138,7 +138,7 @@ jobs:
 cd example
 yarn install
 cd android
- ./gradlew clean --no-daemon --no-build-cache
+ ./gradlew compileKotlin compileJava --no-daemon --no-build-cache
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v4
From 280596b49c17e720621b24e70be445579fc4d583 Mon Sep 17 00:00:00 2001
From: Randall Wyatt
Date: Mon, 8 Jun 2026 09:52:03 -0400
Subject: [PATCH 06/18] adding legacy deps
---
 .github/workflows/codeql.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c8901ff51..5685c4d8c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -137,6 +137,7 @@ jobs:
 run: |
 cd example
 yarn install
+ npm install --legacy-peer-deps
 cd android
 ./gradlew compileKotlin compileJava --no-daemon --no-build-cache
From 94483d270c167d48411e169081019bb9ecf7acfe Mon Sep 17 00:00:00 2001
From: Randall Wyatt
Date: Mon, 8 Jun 2026 10:08:33 -0400
Subject: [PATCH 07/18] Moved legacy deps install
---
 .github/workflows/codeql.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5685c4d8c..8e6007ac0 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -108,7 +108,7 @@ jobs:
 node-version: '22'
 - name: Install Dependencies
- run: npm install
+ run: npm install --legacy-peer-deps
 - name: Install JDK
 if: env.turbo_cache_hit != 1
@@ -137,7 +137,7 @@ jobs:
 run: |
 cd example
 yarn install
- npm install --legacy-peer-deps
+
 cd android
 ./gradlew compileKotlin compileJava --no-daemon --no-build-cache
From ec3072cb74dd38a56d8339d2b2b1b9310f2f60f7 Mon Sep 17 00:00:00 2001
From: Randall Wyatt
Date: Mon, 8 Jun 2026 10:11:58 -0400
Subject: [PATCH 08/18] adding yarn install
---
 .github/workflows/codeql.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 8e6007ac0..9a4f0253c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -108,7 +108,9 @@ jobs:
 node-version: '22'
 - name: Install Dependencies
- run: npm install --legacy-peer-deps
+ run: |
+ npm install --legacy-peer-deps
+ yarn install
 - name: Install JDK
 if: env.turbo_cache_hit != 1
From 51d49c4b2af10ca80a8c9877409c9e4899107e33 Mon Sep 17 00:00:00 2001
From: Randall Wyatt
Date: Mon, 8 Jun 2026 10:14:48 -0400
Subject: [PATCH 09/18] Making it yarn install only
---
 .github/workflows/codeql.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 9a4f0253c..cbc6ecba7 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -109,7 +109,6 @@ jobs:
 - name: Install Dependencies
 run: |
- npm install --legacy-peer-deps
 yarn install
 - name: Install JDK
From 676498c6b8b00647c52ccb82c80e8834194dcb06 Mon Sep 17 00:00:00 2001
From: Randall Wyatt
Date: Mon, 8 Jun 2026 10:22:39 -0400
Subject: [PATCH 10/18] reverting back to node20
---
 .github/workflows/codeql.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index cbc6ecba7..4fdf83781 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -105,7 +105,7 @@ jobs:
 - name: Setup Node.js
 uses: actions/setup-node@v4
 with:
- node-version: '22'
+ node-version: '20'
 - name: Install Dependencies
 run: |
@@ -138,7 +138,6 @@ jobs:
 run: |
 cd example
 yarn install
-
 cd android
 ./gradlew compileKotlin compileJava --no-daemon --no-build-cache
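Review bot: After patch 09 the root Install Dependencies step is a bare `yarn install`, which silently re-resolves when `yarn.lock` is missing or out of date, so the tree CodeQL scans may not be the tree that ships; `yarn install --frozen-lockfile` (Yarn 1) or `yarn install --immutable` (Yarn 2+) makes drift fail the job instead. The multi-line `run: |` block now holds a single command and can collapse to `run: yarn install --frozen-lockfile`. With npm gone, `actions/setup-node`'s `node-version` is the only thing pinning the toolchain for both the root and `example/`, so keep it aligned with whatever version file the project carries, if any. The surrounding job definition starts outside these hunks.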
From b1dbac9592bda40c896834964d25732fb8062bd9 Mon Sep 17 00:00:00 2001
From: Randall Wyatt
Date: Mon, 8 Jun 2026 10:33:51 -0400
Subject: [PATCH 11/18] checking for node
---
 .github/workflows/codeql.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 4fdf83781..65bbb2704 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -139,6 +139,7 @@ jobs:
 cd example
 yarn install
 cd android
+ npx -v
 ./gradlew compileKotlin compileJava --no-daemon --no-build-cache
 - name: Perform CodeQL Analysis
From 4a0abe3b9ab8828a7945476cf01b629ff8a0bcd8 Mon Sep 17 00:00:00 2001
From: Randall Wyatt
Date: Mon, 8 Jun 2026 10:38:52 -0400
Subject: [PATCH 12/18] moved the npx command up
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 65bbb2704..072c2887e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -137,9 +137,9 @@ jobs:
 shell: bash
 run: |
 cd example
+ npx -v
 yarn install
 cd android
- npx -v
 ./gradlew compileKotlin compileJava --no-daemon --no-build-cache
 - name: Perform CodeQL Analysis
From e1647d922bb681dc87e7262cf43a0687dac9e63e Mon Sep 17 00:00:00 2001
From: Randall Wyatt
Date: Mon, 8 Jun 2026 10:51:24 -0400
Subject: [PATCH 13/18] removing the setup step
---
 .github/workflows/codeql.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 072c2887e..8afe85018 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -99,8 +99,8 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
- - name: Setup
- uses: ./.github/actions/setup
+# - name: Setup
+# uses: ./.github/actions/setup
 - name: Setup Node.js
 uses: actions/setup-node@v4
From 7589d8b091eb7a51c3686d70e1860ca5fd89e023 Mon Sep 17 00:00:00 2001
From: Randall Wyatt
Date: Mon, 8 Jun 2026 10:58:23 -0400
Subject: [PATCH 14/18] reverting back to gradle clean
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 8afe85018..9223b493f 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -140,7 +140,7 @@ jobs:
 npx -v
 yarn install
 cd android
- ./gradlew compileKotlin compileJava --no-daemon --no-build-cache
+ ./gradlew clean
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v4
From 3795bd0fb535a9502b17e0f66b8cf4e601d01692 Mon Sep 17 00:00:00 2001
From: Randall Wyatt
Date: Mon, 8 Jun 2026 13:54:34 -0400
Subject: [PATCH 15/18] Changed the runs on and removed unnecessary steps
---
 .github/workflows/codeql.yml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 9223b493f..7da871fd8 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -22,7 +22,7 @@ concurrency:
 jobs:
 Analyze_Ruby_JSandTS:
 name: Analyze (${{ matrix.language }})
- runs-on: gha-runner-no-perms
+ runs-on: gha-runner-ecr-publish
 permissions:
 # required for all workflows
 security-events: write
@@ -99,13 +99,10 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
-# - name: Setup
-# uses: ./.github/actions/setup
-
 - name: Setup Node.js
 uses: actions/setup-node@v4
 with:
- node-version: '20'
+ node-version: '24'
 - name: Install Dependencies
 run: |
@@ -137,7 +134,6 @@ jobs:
 shell: bash
 run: |
 cd example
- npx -v
 yarn install
 cd android
 ./gradlew clean
From 067f7bed220836a2282a0c37d23eb0da87496c45 Mon Sep 17 00:00:00 2001
From: Randall Wyatt
Date: Mon, 8 Jun 2026 14:35:29 -0400
Subject: [PATCH 16/18] Changing runs on for non-kotlin/ios
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
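Review bot: Reverting the traced build to `./gradlew clean` means no Kotlin or Java compiler runs during the manual build step, and with `build-mode: manual` the CodeQL Java/Kotlin extractor only captures sources it sees being compiled, so the resulting database will cover little or none of the Android code (in my experience the analyze step then fails with a no-source-seen error rather than reporting a clean scan). If `clean` was chosen because `compileKotlin compileJava` broke in patch 05, the fix is to make a compiling task succeed (the example app's `assembleDebug`, for instance), not to drop compilation. If a clean-only build is genuinely intended, say why in a comment on that line, e.g. `# NOTE: clean compiles nothing; CodeQL manual build captures only compiled sources`. The step's `if: matrix.build-mode == 'manual'` header lies just outside this hunk.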
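Review bot: In patch 15, `runs-on: gha-runner-ecr-publish` places a job that fires on `pull_request` onto a runner whose label suggests it carries ECR publish credentials; even if no step in this job currently executes repository content, untrusted PR checkouts are then one `run:` step away from whatever that runner's identity can reach, and a scan job needs nothing beyond `security-events: write`. The least-privileged available label is the right home for it, and patch 18 later moving this job to `ubuntu-latest` is the correct direction. The `node-version: '24'` bump in the same patch is unrelated to the runner change and would be clearer as its own commit or with a one-line comment giving the reason. The job's `permissions:` block continues past the end of this hunk.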
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 7da871fd8..a49ccd39e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -22,7 +22,7 @@ concurrency:
 jobs:
 Analyze_Ruby_JSandTS:
 name: Analyze (${{ matrix.language }})
- runs-on: gha-runner-ecr-publish
+ runs-on: [self-hosted]
 permissions:
 # required for all workflows
 security-events: write
From 5b0353aea57da8209339a5377be55d5323a76986 Mon Sep 17 00:00:00 2001
From: Randall Wyatt
Date: Mon, 8 Jun 2026 14:40:43 -0400
Subject: [PATCH 17/18] changing build for ruby and TS
---
 .github/workflows/codeql.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a49ccd39e..e0ffe0625 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -41,9 +41,9 @@ jobs:
 - language: actions
 build-mode: none
 - language: javascript-typescript
- build-mode: none
+ build-mode: autobuild
 - language: ruby
- build-mode: none
+ build-mode: autobuild
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
From a75f2349b986aa00d9beb07985a02f8a883fd16e Mon Sep 17 00:00:00 2001
From: Randall Wyatt
Date: Mon, 8 Jun 2026 14:49:57 -0400
Subject: [PATCH 18/18] changing to ubuntu
---
 .github/workflows/codeql.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index e0ffe0625..1de36d092 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -22,7 +22,7 @@ concurrency:
 jobs:
 Analyze_Ruby_JSandTS:
 name: Analyze (${{ matrix.language }})
- runs-on: [self-hosted]
+ runs-on: ubuntu-latest
 permissions:
 # required for all workflows
 security-events: write
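Review bot: Patch 16's `runs-on: [self-hosted]` matches any self-hosted runner registered to the organization, so this `pull_request`-triggered job could be scheduled onto whichever runner is free, including ones provisioned with credentials for other workflows; patch 18 resolves this for the Ruby/JS/TS job by moving it to `ubuntu-latest`, but the Kotlin and Swift jobs that patch 01 put on self-hosted labels are not shown changing and deserve the same least-privilege check. If a self-hosted runner is genuinely required, use a dedicated label for ephemeral, credential-less runners and say so in a comment next to `runs-on:`. Patch 17's switch to `build-mode: autobuild` for JavaScript/TypeScript and Ruby also lets CodeQL's autobuilder run language tooling on that runner (for TypeScript this may include dependency installation), whereas `none` is the documented mode for interpreted languages; patch 18 restores `none`. The matrix's remaining entries and the job's `permissions:` block lie outside these hunks.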
@@ -41,9 +41,9 @@ jobs:
 - language: actions
 build-mode: none
 - language: javascript-typescript
- build-mode: autobuild
+ build-mode: none
 - language: ruby
- build-mode: autobuild
+ build-mode: none
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4