From 2dd3fcedccced8b08951260d264dfc6011c76de2 Mon Sep 17 00:00:00 2001
From: Muiris Woulfe
Date: Wed, 15 May 2024 18:55:42 +0100
Subject: [PATCH 1/5] Create codeql.yml

---
 .github/workflows/codeql.yml | 45 ++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..90d88aac
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,45 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+---
+
+name: CodeQL
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: 0 0 * * 1
+  workflow_dispatch: null
+
+permissions: {}
+
+jobs:
+  analyze:
+    name: Analyze JavaScript & TypeScript
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+
+      - name: Initialize
+        uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
+        with:
+          languages: javascript-typescript
+          build-mode: none
+          config-file: .github/linters/codeql.yml
+          queries: security-extended,security-and-quality
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
+        with:
+          category: /language:javascript-typescript
+
+...

From f51831a5e26d9df3df9c2e37129dd02976f4f7d5 Mon Sep 17 00:00:00 2001
From: Muiris Woulfe
Date: Wed, 15 May 2024 18:56:42 +0100
Subject: [PATCH 2/5] Removing existing CodeQL definition

---
 .github/workflows/build.yml | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 53f7f138..87b4864a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
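Review bot: The job-level `permissions` block grants only `security-events: write`, and with the top-level `permissions: {}` every other scope, including `contents` and `actions`, resolves to `none`; that presumably works here because the repository is public and checkout plus the CodeQL init/analyze steps can read anonymously, but the same job fails in a private fork or after a visibility change, where the action's documentation calls for `contents: read` and `actions: read` as well. Either add `contents: read` beside `security-events: write`, or record the assumption with `# Public repository: no contents/actions scope needed; add contents: read and actions: read if this repo becomes private.`. Two smaller points: `cron: 0 0 * * 1` parses as a plain string, but GitHub's own examples quote it (`- cron: '0 0 * * 1'`) so editors and linters never treat the `*` as an alias, and the `queries` input is documented to override any `queries` list inside `.github/linters/codeql.yml` unless it is prefixed with `+`, so confirm the config file does not also declare queries that this input now silently drops.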
@@ -270,24 +270,6 @@ jobs:
           print-valid-files: true
           strict: false
 
-  validate-codeql:
-    name: Validate – CodeQL
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-
-      - name: Initialize
-        uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
-        with:
-          config-file: .github/linters/codeql.yml
-          queries: security-extended,security-and-quality
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
-
   validate-linter:
     name: Validate – Linter
     runs-on: ubuntu-latest

From 97af8d11adbfec6cc7abd2a51f7d678dd308ee68 Mon Sep 17 00:00:00 2001
From: Muiris Woulfe
Date: Thu, 16 May 2024 10:55:02 +0100
Subject: [PATCH 3/5] Updating PR template

---
 .github/pull_request_template.md | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 836519b2..25b69a46 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,14 +1,8 @@ ## Summary -### Motivation - - - -### Technical - - + ## Testing

From 370eae5e03ffddadaa4aaa1f28799412c4806296 Mon Sep 17 00:00:00 2001
From: Muiris Woulfe
Date: Thu, 16 May 2024 14:43:01 +0100
Subject: [PATCH 4/5] Updating comment

---
 .github/workflows/release-phase-1-internal.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release-phase-1-internal.yml b/.github/workflows/release-phase-1-internal.yml
index 691b5975..4e4fcf13 100644
--- a/.github/workflows/release-phase-1-internal.yml
+++ b/.github/workflows/release-phase-1-internal.yml
@@ -181,8 +181,9 @@ jobs:
             --assignee "${{ github.actor }}"
             --reviewer "${{ github.actor }}"
         env:
-          # Classic Personal Access Token (PAT) with the "repo" permission for microsoft. Fine-grained PATs will
-          # not work due to GitHub CLI's dependence on GraphQL.
+          # Fine-grained Personal Access Token (PAT) with the following permissions for microsoft/PR-Metrics:
+          # - Read access to Metadata
+          # - Read and Write access to Pull Requests
           GITHUB_TOKEN: ${{ secrets.RELEASE_PHASE_1_PR_CREATE }}
 
       - name: PR – Comment

From 3354570f0df4f50106534bd8b3b4add5901f5b8a Mon Sep 17 00:00:00 2001
From: Muiris Woulfe
Date: Thu, 16 May 2024 17:59:09 +0100
Subject: [PATCH 5/5] Adding more comments

---
 .github/azure-devops/template.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/azure-devops/template.yml b/.github/azure-devops/template.yml
index b4f91759..4530319b 100644
--- a/.github/azure-devops/template.yml
+++ b/.github/azure-devops/template.yml
@@ -91,6 +91,9 @@ stages:
       - task: PRMetrics@1
         displayName: PR Metrics
         env:
+          # Fine-grained Personal Access Token (PAT) with the following permissions for microsoft/PR-Metrics:
+          # - Read access to Metadata
+          # - Read and Write access to Pull Requests
           PR_METRICS_ACCESS_TOKEN: $(GITHUB_PAT)
         inputs:
           file-matching-patterns: |
@@ -119,6 +122,9 @@ stages:
       - task: PRMetrics@1
         displayName: PR Metrics
         env:
+          # Fine-grained Personal Access Token (PAT) with the following permissions for microsoft/PR-Metrics:
+          # - Read access to Metadata
+          # - Read and Write access to Pull Requests
           PR_METRICS_ACCESS_TOKEN: $(GITHUB_PAT)
         inputs:
           file-matching-patterns: |
@@ -147,6 +153,9 @@ stages:
       - task: PRMetrics@1
         displayName: PR Metrics
        env:
+          # Fine-grained Personal Access Token (PAT) with the following permissions for microsoft/PR-Metrics:
+          # - Read access to Metadata
+          # - Read and Write access to Pull Requests
           PR_METRICS_ACCESS_TOKEN: $(GITHUB_PAT)
         inputs:
           file-matching-patterns: |
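Review bot: The rewritten comment above `GITHUB_TOKEN: ${{ secrets.RELEASE_PHASE_1_PR_CREATE }}` drops the reason the old comment gave for requiring a classic PAT (the GitHub CLI's dependence on GraphQL) without recording what changed, so a later reader cannot tell whether `gh pr create` was actually verified with a fine-grained token or whether that support is merely assumed. Keeping one trailing line such as `# Previously a classic PAT was required because fine-grained PATs lacked GraphQL support in the CLI; re-verify if gh pr create starts failing.` preserves that context next to the secret it applies to. The step that runs the `gh` command begins outside the hunk, so the `--assignee`/`--reviewer` lines shown are only its tail.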
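Review bot: The same three-line PAT comment is pasted above `PR_METRICS_ACCESS_TOKEN: $(GITHUB_PAT)` in all three hunks of this file (`@@ -91`, `@@ -119` and `@@ -147`), so the next permission change has to be repeated three times and the copies will drift. All three steps read the single `GITHUB_PAT` pipeline variable, so the permission list belongs once where that variable is defined (outside these hunks), with each step keeping a pointer such as `# GITHUB_PAT: fine-grained PAT; required permissions documented at the variable definition.`. The same wording is also introduced in release-phase-1-internal.yml in this series, so one canonical description linked from both files would stay consistent as the token's scopes evolve. Each `steps` list begins outside its hunk.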