From 6e77c10c6cd6125248ab6b29b737fa8f2fe102fb Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Mon, 27 Apr 2026 15:25:38 -0700
Subject: [PATCH] fix(ci): harden macOS CodeQL SARIF filtering

Harden the macOS CodeQL SARIF filter to drop only findings whose primary location is SwiftPM build output. Verified with workflow sanity, local jq filtering, full PR CI, and profile=macos-security branch proof in 18m44s.
---
 .github/workflows/codeql.yml | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 29c62fd4b6d..2179539f795 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -156,31 +156,33 @@ jobs:
 - name: Remove dependency build results
 env:
- SARIF_OUTPUT: ${{ steps.analyze.outputs.sarif-output }}
+ SARIF_OUTPUT: sarif-results
 run: |
 set -euo pipefail
+ shopt -s nullglob
+
+ if [ ! -d "$SARIF_OUTPUT" ]; then
+ echo "SARIF output directory not found: $SARIF_OUTPUT" >&2
+ exit 1
+ fi
+
 mkdir -p sarif-results-filtered
- found=0
- for file in "$SARIF_OUTPUT"/*.sarif; do
- if [ ! -e "$file" ]; then
- continue
- fi
+ files=("$SARIF_OUTPUT"/*.sarif)
+ if [ "${#files[@]}" -eq 0 ]; then
+ echo "No SARIF files found in $SARIF_OUTPUT" >&2
+ exit 1
+ fi
- found=1
+ for file in "${files[@]}"; do
 jq '
 def in_dependency_build:
- any(.locations[]?; (.physicalLocation.artifactLocation.uri? // "") | test("(^|/)\\.build/"));
+ ((.locations[0].physicalLocation.artifactLocation.uri? // "") | test("^apps/macos/\\.build/"));
 .runs |= map(.results = ((.results // []) | map(select(in_dependency_build | not))))
 ' "$file" > "sarif-results-filtered/$(basename "$file")"
 done
- if [ "$found" -eq 0 ]; then
- echo "No SARIF files found in $SARIF_OUTPUT" >&2
- exit 1
- fi
-
 - name: Upload filtered SARIF
 uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
 with:
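Review bot: The filter inside the `for file in "${files[@]}"` loop drops results silently, so a drift in the URI form CodeQL emits (for example if `artifactLocation.uri` stopped being repository-relative or moved to a different `uriBaseId`) would either strip nothing or strip genuine findings with no trace in the job log. Logging a per-file count before and after the jq call keeps the filtering auditable; after the `jq … > "sarif-results-filtered/$(basename "$file")"` line add `total=$(jq '[.runs[].results[]?] | length' "$file")`, `kept=$(jq '[.runs[].results[]?] | length' "sarif-results-filtered/$(basename "$file")")` and `echo "$(basename "$file"): kept $kept of $total results" >&2`. A short comment above `def in_dependency_build:`, such as `# assumes repo-relative SARIF URIs; only the primary location is inspected`, would record the assumption the new pattern `^apps/macos/\\.build/` relies on. The step's `run:` script starts and ends inside the hunk.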