From a917cabb7446fab28296db3cb3b7093d5c8907d5 Mon Sep 17 00:00:00 2001 From: Valter Silva Date: Sat, 6 Jun 2026 16:42:43 +0800 Subject: [PATCH 1/3] build(deps): enable Dependabot for gomod and github-actions Adds weekly Dependabot version + security update checks for Go modules and GitHub Actions, with chore(deps) Conventional Commit prefixes. --- .github/dependabot.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..3bab678 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,25 @@ +# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +version: 2 +updates: + - package-ecosystem: "gomod" + directory: "/" + schedule: + interval: "weekly" + commit-message: + prefix: "chore(deps)" + include: "scope" + labels: + - "dependencies" + - "go" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + commit-message: + prefix: "chore(deps)" + include: "scope" + labels: + - "dependencies" + - "github-actions" From c1a2e446f2974f56bfc828b8b0589d783fd44ba1 Mon Sep 17 00:00:00 2001 From: Valter Silva Date: Sat, 6 Jun 2026 16:42:43 +0800 Subject: [PATCH 2/3] ci: add CodeQL code scanning for Go Weekly + push/PR CodeQL analysis with least-privilege permissions. Actions pinned to full commit SHAs, matching the repo's existing convention. --- .github/workflows/codeql.yml | 49 ++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..3cc4608 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,49 @@ +name: "CodeQL" + +on: + push: + branches: + - main + pull_request: + branches: + - main + schedule: + - cron: '0 1 * * 1' # weekly, Monday 01:00 UTC + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'go' ] + + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Set up Go + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + with: + go-version: "1.25" + cache: true + + - name: Initialize CodeQL + uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3 + with: + languages: ${{ matrix.language }} + + - name: Autobuild + uses: github/codeql-action/autobuild@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3 From 2b5cc0a6f334c5f6251083ee3f2de85fc258dd77 Mon Sep 17 00:00:00 2001 From: Valter Silva Date: Sat, 6 Jun 2026 17:24:38 +0800 Subject: [PATCH 3/3] Revert "ci: add CodeQL code scanning for Go" tecli already has CodeQL *default setup* enabled at the repo level, and an advanced workflow cannot coexist with it ("CodeQL analyses from advanced configurations cannot be processed when the default setup is enabled"). Go code scanning should instead be enabled by adding the 'go' language to the existing default setup (Settings -> Code security -> CodeQL default setup), which is a repo-settings change, not a workflow file. This PR now ships only the Dependabot configuration. --- .github/workflows/codeql.yml | 49 ------------------------------------ 1 file changed, 49 deletions(-) delete mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 3cc4608..0000000 --- a/.github/workflows/codeql.yml +++ /dev/null @@ -1,49 +0,0 @@ -name: "CodeQL" - -on: - push: - branches: - - main - pull_request: - branches: - - main - schedule: - - cron: '0 1 * * 1' # weekly, Monday 01:00 UTC - -permissions: - contents: read - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'go' ] - - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Set up Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - with: - go-version: "1.25" - cache: true - - - name: Initialize CodeQL - uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3 - with: - languages: ${{ matrix.language }} - - - name: Autobuild - uses: github/codeql-action/autobuild@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3