Initial commit

Author: camihmerhar

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"

.github/steps/-step.txt

@@ -0,0 +1 @@
+0

.github/steps/0-welcome.md

@@ -0,0 +1 @@
+<!-- readme -->

.github/steps/1-codeql-language-matrix.md

@@ -0,0 +1,44 @@
+## Step 1: Add a language matrix to your CodeQL workflow file
+
+_Welcome to "Configuring a CodeQL language matrix"! :wave:_
+
+## CodeQL language matrices
+
+CodeQL language matrices allow you to configure your CodeQL workflows with a language matrix to simplify your code scanning workflows. This allows you to have a single code scanning workflow that covers all the languages in your repository.
+
+### Importance of using languages matrices with code scanning
+
+1. **Simplicity**: Using a language matrix with CodeQL simplifies your workflow by allowing you to manage multiple languages in a single workflow file. This eliminates the need for separate workflows for each language, making your code scanning process more streamlined and manageable.
+2. **Flexibility**: A language matrix provides flexibility as it allows you to easily add or remove languages from your workflow. This means you can quickly adapt your code scanning process to changes in your project's language usage.
+3. **Consistency**: By using a language matrix, you ensure consistent code scanning across all languages used in your project. This helps maintain the quality and security of your codebase, regardless of the language it's written in.
+
+Remember, a well-configured CodeQL setup is key to maintaining a secure and reliable codebase.
+
+### :keyboard: Activity: Configure your `codeql.yml` file to use a language matrix
+
+1. Navigate to the `Code` tab and locate the `.github/workflows` folder.
+1. Add the following content to the `codeql.yml` file before the steps section:
+ ```yaml
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'go', 'java-kotlin', 'javascript-typescript', 'python' ]
+ # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
+ # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ ```
+1. Ensure that your indentation is correct after adding the strategy section.
+1. Now that you have added the strategy, you need to update CodeQL to actually use the language matrix. Add the following to the CodeQL init action:
+ ```yaml
+ with:
+ languages: ${{ matrix.language }}
+ ```
+1. Finally we need to add the language matrix to the CodeQL analyze action. Add the following to the CodeQL analyze action:
+ ```yaml
+ with:
+ category: ${{ matrix.language }}
+ ```
+1. Commit the changes directly to the `main` branch.
+1. Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to the next step.

.github/steps/2-codeql-autobuild.md

@@ -0,0 +1,35 @@
+## Step 2: Have autobuild run only when needed
+
+_Nice work! :tada: You modified your workflow to use a language matrix!_
+
+With the language matrix specified we can see the languages that we want to scan. One of those languages is a compiled language, and as such will not work correctly with how we have the workflow set up. We need to make sure that the autobuild step is included _and_ only runs when it is needed.
+
+Autobuild for CodeQL is a feature that automatically attempts to build any compiled languages in your repository. It works by detecting the build system in your repository and executing the appropriate commands to compile the code, enabling CodeQL to analyze the compiled language.
+
+Let's try this out with our existing CodeQL workflow file.
+
+### :keyboard: Activity: Configure the workflow to use autobuild for the `java-kotlin` language
+
+1. Navigate to the `.github/workflows` directory in your repository.
+1. Open the `codeql.yml` file.
+1. Add the autobuild step to the file in between the `Initialize CodeQL` and `Perform CodeQL Analysis` steps:
+ ```yaml
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+ ```
+1. Ensure that your indentation is correct after adding the step.
+1. Now we need to make sure that the autobuild step only runs when it is needed. Add to the `Autobuild` step a conditional expression that checks to make sure the language is `java-kotlin`.
+
+<details>
+ <summary>Autobuild step after adding conditional</summary>
+
+```yaml
+ - if: ${{ contains(matrix.language, 'java-kotlin') }}
+ name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+```
+
+</details>
+ 
+1. Commit the changes directly to the `main` branch.
+1. Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to the next step.

.github/steps/X-finish.md

@@ -0,0 +1,23 @@
+## Finish
+
+_Congratulations friend, you've completed this course!_
+
+<img src="https://octodex.github.com/images/welcometocat.png" alt=celebrate width=300 align=right>
+
+Here's a recap of all the tasks you've accomplished in your repository:
+
+- You've learned how to use a language matrix with CodeQL workflows.
+- You've learned how about the CodeQL autobuild action works.
+- You've learned how to use contextual expressions.
+
+### Additional learning and resources
+
+- [Configuring code scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning)
+
+### What's next?
+
+- Learn more about autobuild for compiled languages: [CodeQL code scanning for compiled languages](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages).
+- [We'd love to hear what you thought of this course](https://github.com/skills/.github/discussions).
+- [Learn another GitHub skill](https://github.com/skills).
+- [Read the Get started with GitHub docs](https://docs.github.com/en/get-started).
+- To find projects to contribute to, check out [GitHub Explore](https://github.com/explore).

.github/workflows/0-welcome.yml

@@ -0,0 +1,61 @@
+name: Step 0, Welcome
+
+# This step triggers after the learner creates a new repository from the template.
+# This workflow updates from step 0 to step 1.
+
+# This will run every time we create push a commit to `main`.
+# Reference: https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
+on:
+ create:
+ workflow_dispatch:
+
+# Reference: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
+permissions:
+ # Need `contents: read` to checkout the repository.
+ # Need `contents: write` to update the step metadata.
+ contents: write
+
+jobs:
+ # Get the current step to only run the main job when the learner is on the same step.
+ get_current_step:
+ name: Check current step number
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - id: get_step
+ run: |
+ echo "current_step=$(cat ./.github/steps/-step.txt)" >> $GITHUB_OUTPUT
+ outputs:
+ current_step: ${{ steps.get_step.outputs.current_step }}
+
+ on_start:
+ name: On start
+ needs: get_current_step
+
+ # We will only run this action when:
+ # 1. This repository isn't the template repository.
+ # 2. The step is currently 0.
+ # Reference: https://docs.github.com/en/actions/learn-github-actions/contexts
+ # Reference: https://docs.github.com/en/actions/learn-github-actions/expressions
+ if: >-
+ ${{ !github.event.repository.is_template
+ && needs.get_current_step.outputs.current_step == 0 }}
+
+ # We'll run Ubuntu for performance instead of Mac or Windows.
+ runs-on: ubuntu-latest
+
+ steps:
+ # We'll need to check out the repository so that we can edit the README.
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # Let's get all the branches.
+
+ # In README.md, switch step 0 for step 1.
+ - name: Update to step 1
+ uses: skills/action-update-step@v2
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ from_step: 0
+ to_step: 1

.github/workflows/1-codeql-language-matrix.yml

@@ -0,0 +1,84 @@
+name: Step 1, Add a language matrix to your CodeQL workflow file
+
+# This step triggers after push to codeql.yml.
+# This workflow updates from step 1 to step 2.
+
+# This will run every time we push to main.
+# Reference: https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/workflows/codeql.yml"
+
+# Reference: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
+permissions:
+ # Need `contents: read` to checkout the repository.
+ # Need `contents: write` to update the step metadata.
+ contents: write
+
+jobs:
+ # Get the current step to only run the main job when the learner is on the same step.
+ get_current_step:
+ name: Check current step number
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - id: get_step
+ run: |
+ echo "current_step=$(cat ./.github/steps/-step.txt)" >> $GITHUB_OUTPUT
+ outputs:
+ current_step: ${{ steps.get_step.outputs.current_step }}
+
+ on_add_strategy:
+ name: On Add Strategy
+ needs: get_current_step
+
+ # We will only run this action when:
+ # 1. This repository isn't the template repository.
+ # 2. The step is currently 0.
+ # Reference: https://docs.github.com/en/actions/learn-github-actions/contexts
+ # Reference: https://docs.github.com/en/actions/learn-github-actions/expressions
+ if: >-
+ ${{ !github.event.repository.is_template
+ && needs.get_current_step.outputs.current_step == 1 }}
+
+ # We'll run Ubuntu for performance instead of Mac or Windows.
+ runs-on: ubuntu-latest
+
+ steps:
+ # We'll need to check out the repository so that we can edit the README.
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ # Verify the learner added the file contents.
+ - name: Check workflow contents, jobs
+ uses: skills/action-check-file@v1
+ with:
+ file: ".github/workflows/codeql.yml"
+ search: "matrix:"
+
+ # Verify the learner added the file contents.
+ - name: Check workflow contents, jobs
+ uses: skills/action-check-file@v1
+ with:
+ file: ".github/workflows/codeql.yml"
+ search: "languages:"
+
+ # Verify the learner added the file contents.
+ - name: Check workflow contents, jobs
+ uses: skills/action-check-file@v1
+ with:
+ file: ".github/workflows/codeql.yml"
+ search: "category:"
+
+ # In README.md, switch step 1 for step 2.
+ - name: Update to step 2
+ uses: skills/action-update-step@v2
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ from_step: 1
+ to_step: 2

.github/workflows/2-codeql-autobuild.yml

@@ -0,0 +1,72 @@
+name: Step 2, Have autobuild run only when needed
+
+# This step triggers after push to codeql.yml.
+# This step updates from step 2 to X.
+
+# This will run every time we push to dependabot.yml.
+# Reference: https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/workflows/codeql.yml"
+
+# Reference: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
+permissions:
+ # Need `contents: read` to checkout the repository.
+ # Need `contents: write` to update the step metadata.
+ contents: write
+
+jobs:
+ # Get the current step to only run the main job when the learner is on the same step.
+ get_current_step:
+ name: Check current step number
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - id: get_step
+ run: |
+ echo "current_step=$(cat ./.github/steps/-step.txt)" >> $GITHUB_OUTPUT
+ outputs:
+ current_step: ${{ steps.get_step.outputs.current_step }}
+
+ on_add_autobuild:
+ name: On Add Autobuild
+ needs: get_current_step
+
+ # We will only run this action when:
+ # 1. This repository isn't the template repository.
+ # 2. The step is currently 2.
+ # Reference: https://docs.github.com/en/actions/learn-github-actions/contexts
+ # Reference: https://docs.github.com/en/actions/learn-github-actions/expressions
+ if: >-
+ ${{ !github.event.repository.is_template
+ && needs.get_current_step.outputs.current_step == 2 }}
+
+ # We'll run Ubuntu for performance instead of Mac or Windows.
+ runs-on: ubuntu-latest
+
+ steps:
+ # We'll need to check out the repository so that we can edit the README.
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # Let's get all the branches.
+
+ # Verify the learner added the file contents.
+ - name: Check workflow contents, jobs
+ uses: skills/action-check-file@v1
+ with:
+ file: ".github/workflows/codeql.yml"
+ search: "contains\\(matrix\\.language, 'java-kotlin'\\)"
+
+ # In README.md, switch step 2 for step X.
+ - name: Update to step X
+ uses: skills/action-update-step@v2
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ from_step: 2
+ to_step: X

.github/workflows/codeql.yml

@@ -0,0 +1,25 @@
+name: "Code Scanning - Action"
+
+on:
+ pull_request:
+ branches: [main]
+
+jobs:
+ CodeQL-Build:
+ runs-on: ubuntu-latest
+
+ permissions:
+ # required for all workflows
+ security-events: write
+ actions: read
+ contents: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3