From b854402ab6d41aa273ff6eff343bcace2684d76c Mon Sep 17 00:00:00 2001 From: Jeremy Massel <1123407+jkmassel@users.noreply.github.com> Date: Wed, 1 Apr 2026 19:52:14 -0600 Subject: [PATCH 01/12] ci: update CodeQL workflow to use Node.js 24-compatible action versions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bump actions/checkout v4 → v5 and github/codeql-action v3 → v4 to resolve GitHub Actions Node.js 20 deprecation warnings. Node.js 20 actions will be forced to Node.js 24 starting June 2, 2026. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/codeql.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 68d2c6929..eb6c8cdc5 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -26,18 +26,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@v4 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v4 with: category: '/language:${{ matrix.language }}' @@ -48,13 +48,13 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Select Xcode run: sudo xcode-select -s /Applications/Xcode_26.0.1.app/Contents/Developer - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 with: languages: swift @@ -62,6 +62,6 @@ jobs: run: swift build --target GutenbergKit --target GutenbergKitHTTP - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v4 with: category: '/language:swift' 
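Review bot: The bumped `uses:` references on the new side (`actions/checkout@v5`, `github/codeql-action/init@v4`, `autobuild@v4`, `analyze@v4`) still resolve a mutable major-version tag, so each run executes whatever commit that tag points to at run time. Pinning to a full-length commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<40-char sha> # v5.0.0`, makes the checked-in reference immutable and is the usual mitigation for a retargeted or compromised tag; Dependabot's github-actions ecosystem keeps SHA pins current. The `permissions:` block for these jobs is outside the hunk, so I can't confirm that `contents: read` and `security-events: write` are the only grants — worth checking alongside this bump.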
From a9e5b4f131866f7ceb2441cdbbbf3589b9412f7e Mon Sep 17 00:00:00 2001 From: Jeremy Massel <1123407+jkmassel@users.noreply.github.com> Date: Wed, 1 Apr 2026 19:53:03 -0600 Subject: [PATCH 02/12] ci: add Dependabot monitoring for GitHub Actions Add `github-actions` package ecosystem to dependabot.yml so action version updates (checkout, codeql-action, etc.) are tracked automatically alongside npm dependencies. Co-Authored-By: Claude Opus 4.6 --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 35d6fb548..872d93a0c 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -15,3 +15,7 @@ updates: update-types: ['version-update:semver-major'] - dependency-name: 'eslint-plugin-react-refresh' # eslint-plugin-react-refresh@>=0.5.x requires eslint@>=9.x.x, blocked by https://github.com/WordPress/gutenberg/issues/64782 update-types: ['version-update:semver-minor'] + - package-ecosystem: 'github-actions' + directory: '/' + schedule: + interval: 'weekly' From d2a7003c0e908744d45a23959d6bef629d9c8139 Mon Sep 17 00:00:00 2001 From: Jeremy Massel <1123407+jkmassel@users.noreply.github.com> Date: Wed, 1 Apr 2026 20:31:45 -0600 Subject: [PATCH 03/12] ci: use source-level extraction for interpreted CodeQL languages Set build-mode: none for the interpreted languages job (actions, java-kotlin, javascript-typescript) and remove the autobuild step. This ensures CodeQL extracts all Kotlin source files rather than only those reachable from a single Gradle build (51/90 previously). Co-Authored-By: Claude Opus 4.6 --- .github/workflows/codeql.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index eb6c8cdc5..6026e8cff 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
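Review bot: As far as I understand Dependabot's behaviour, the new `github-actions` entry only raises a pull request when a new major tag appears while the workflows reference actions as `@v4`/`@v5`; security fixes shipped as minor or patch releases under the same major tag never surface as a PR, they are picked up silently at run time. If the workflows are switched to commit-SHA pins, Dependabot updates the SHA (and the trailing version comment) on every release, which is what makes this entry useful for supply-chain review. Two smaller points: `directory: '/'` covers `.github/workflows`, but any composite actions kept elsewhere in the repository need their own entry, and a one-line comment such as `# Keeps action pins in .github/workflows current` above the entry would match the commentary style already used for the npm ignore rules.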
@@ -32,9 +32,7 @@ jobs: uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} - - - name: Autobuild - uses: github/codeql-action/autobuild@v4 + build-mode: none - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 From f5b68f3f4c389c4c5d0da764ae359aa02d28b530 Mon Sep 17 00:00:00 2001 From: Jeremy Massel <1123407+jkmassel@users.noreply.github.com> Date: Wed, 1 Apr 2026 20:32:57 -0600 Subject: [PATCH 04/12] ci: build all Swift targets for CodeQL analysis Change from building only GutenbergKit and GutenbergKitHTTP to building all targets including tests. Previously only 11/132 Swift files were scanned. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6026e8cff..570f01012 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -57,7 +57,7 @@ jobs: languages: swift - name: Build Swift package - run: swift build --target GutenbergKit --target GutenbergKitHTTP + run: swift build --build-tests - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 From 99ff8e77d298edaee2840b2e4474497f35453ea5 Mon Sep 17 00:00:00 2001 From: Jeremy Massel <1123407+jkmassel@users.noreply.github.com> Date: Wed, 1 Apr 2026 20:34:34 -0600 Subject: [PATCH 05/12] ci: include Demo app in CodeQL Swift analysis Add xcodebuild step for the Demo-iOS Xcode project so its 14 Swift files are also scanned by CodeQL. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/codeql.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 570f01012..b2e586d16 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -59,6 +59,9 @@ jobs: - name: Build Swift package run: swift build --build-tests + - name: Build Demo app + run: xcodebuild build -project ios/Demo-iOS/Gutenberg.xcodeproj -scheme Gutenberg -destination 'generic/platform=iOS' CODE_SIGNING_ALLOWED=NO + - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 with: From a81704e727409284bd5f29646ad3ffc78058f5b7 Mon Sep 17 00:00:00 2001 From: Jeremy Massel <1123407+jkmassel@users.noreply.github.com> Date: Wed, 1 Apr 2026 20:39:49 -0600 Subject: [PATCH 06/12] ci: use autobuild for java-kotlin CodeQL analysis java-kotlin requires compilation and cannot use build-mode: none. Use a matrix include to set the build mode per language: autobuild for java-kotlin, none for actions and javascript-typescript. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/codeql.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b2e586d16..028c826c8 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -22,7 +22,13 @@ jobs: strategy: fail-fast: false matrix: - language: [actions, java-kotlin, javascript-typescript] + include: + - language: actions + build-mode: none + - language: java-kotlin + build-mode: autobuild + - language: javascript-typescript + build-mode: none steps: - name: Checkout repository @@ -32,7 +38,7 @@ jobs: uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} - build-mode: none + build-mode: ${{ matrix.build-mode }} - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 From a4c9c1fbb0c2614637e36b34f4635fe41d8881b1 Mon Sep 17 00:00:00 2001 
From: Jeremy Massel <1123407+jkmassel@users.noreply.github.com> Date: Wed, 1 Apr 2026 20:41:01 -0600 Subject: [PATCH 07/12] ci: use manual Gradle build for Kotlin CodeQL analysis Autobuild only compiled 51/90 Kotlin files. Replace it with a dedicated job that runs compileDebugSources, compileDebugTestSources, and compileDebugAndroidTestSources across both modules to ensure full coverage. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/codeql.yml | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 028c826c8..73347d8be 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -22,13 +22,7 @@ jobs: strategy: fail-fast: false matrix: - include: - - language: actions - build-mode: none - - language: java-kotlin - build-mode: autobuild - - language: javascript-typescript - build-mode: none + language: [actions, javascript-typescript] steps: - name: Checkout repository @@ -38,13 +32,35 @@ jobs: uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} + build-mode: none - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 with: category: '/language:${{ matrix.language }}' + analyze-kotlin: + name: Analyze (java-kotlin) + runs-on: ubuntu-latest + timeout-minutes: 30 + + steps: + - name: Checkout repository + uses: actions/checkout@v5 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: java-kotlin + + - name: Build Android project + run: cd android && ./gradlew compileDebugSources compileDebugTestSources compileDebugAndroidTestSources + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: '/language:java-kotlin' + analyze-swift: name: Analyze (swift) runs-on: macos-15 From 23360a8c5d30668cb279e075d03f006157462508 Mon Sep 17 00:00:00 2001 
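Review bot: The new `Build Android project` step runs `./gradlew`, i.e. the checked-in `gradle-wrapper.jar`, with no integrity check, and the workflow's triggers are outside this hunk so I can't tell whether this job also runs for `pull_request` events. Adding a pinned `gradle/actions/wrapper-validation` step before the build verifies the wrapper jar's checksum against Gradle's published list, which is the standard guard against a tampered wrapper binary arriving via a pull request. `cd android && ./gradlew …` would read more naturally as a `working-directory: android` key on the step, and the job has no explicit JDK setup (`actions/setup-java`), so it depends on whichever JDK the `ubuntu-latest` image happens to ship — worth pinning for reproducible analysis. The job's `permissions` are not shown; `security-events: write` is required for `analyze` to upload results, and `contents: read` should be the only other grant.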
From: Jeremy Massel <1123407+jkmassel@users.noreply.github.com> Date: Wed, 1 Apr 2026 21:56:17 -0600 Subject: [PATCH 08/12] ci: fix ambiguous Gradle task name in CodeQL workflow Use `compileDebugUnitTestSources` instead of the ambiguous `compileDebugTestSources` which matches both unit and Android test source sets. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 73347d8be..cbb7b8fb0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -54,7 +54,7 @@ jobs: languages: java-kotlin - name: Build Android project - run: cd android && ./gradlew compileDebugSources compileDebugTestSources compileDebugAndroidTestSources + run: cd android && ./gradlew compileDebugSources compileDebugUnitTestSources compileDebugAndroidTestSources - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 From a04b5bb0f0df49f285389326b97a29713361502f Mon Sep 17 00:00:00 2001 From: Jeremy Massel <1123407+jkmassel@users.noreply.github.com> Date: Wed, 1 Apr 2026 22:08:29 -0600 Subject: [PATCH 09/12] ci: drop androidTest compilation from CodeQL Kotlin analysis The compileDebugAndroidTestSources task fails because Espresso Web and Compose test dependencies aren't available on the CI runner. These instrumentation tests in the demo app aren't useful targets for static security analysis, so just compile main and unit test sources. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index cbb7b8fb0..f717c9b4d 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -54,7 +54,7 @@ jobs: languages: java-kotlin - name: Build Android project - run: cd android && ./gradlew compileDebugSources compileDebugUnitTestSources compileDebugAndroidTestSources + run: cd android && ./gradlew compileDebugSources compileDebugUnitTestSources - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 From b2e44777558b1b80bdb55a687b58301ab6b05e67 Mon Sep 17 00:00:00 2001 From: Jeremy Massel <1123407+jkmassel@users.noreply.github.com> Date: Wed, 15 Apr 2026 12:19:33 -0600 Subject: [PATCH 10/12] ci: increase Swift CodeQL timeout from 30m to 45m The swift build + Demo app xcodebuild completes but takes ~30m on macos-15 runners, hitting the timeout boundary during the Demo app build step. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index f717c9b4d..1fbaeb2d9 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -64,7 +64,7 @@ jobs: analyze-swift: name: Analyze (swift) runs-on: macos-15 - timeout-minutes: 30 + timeout-minutes: 45 steps: - name: Checkout repository From 4286590b7ce0e92d47d3e658ac3bc2848234b45a Mon Sep 17 00:00:00 2001 
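Review bot: The removal of `compileDebugAndroidTestSources` from the `run:` line leaves no trace in the workflow itself — the reasoning (Espresso Web / Compose test dependencies unavailable on the runner, instrumentation tests judged out of scope) lives only in the commit message, so a future editor is likely to add the task back or assume androidTest coverage exists. A comment directly above the step, e.g. `# androidTest sources are deliberately excluded: their Espresso/Compose deps don't resolve on CI, so they are not CodeQL-scanned`, keeps the coverage gap visible. Note that any production-like helper code living under `src/androidTest` is now outside CodeQL's view; if that is acceptable it should be stated.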
From: Jeremy Massel <1123407+jkmassel@users.noreply.github.com> Date: Wed, 15 Apr 2026 12:36:09 -0600 Subject: [PATCH 11/12] ci: cache SPM dependencies and remove stale Package.resolved pin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SPM version resolution takes ~9 minutes on a cold CI cache because it clones each dependency mirror and parses Package.swift for every candidate version. Caching the SPM repository mirrors across runs avoids this. Also removes a stale wordpress-rs pin from Package.resolved — it's not in Package.swift and shouldn't be resolved. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/codeql.yml | 9 +++++++++ Package.resolved | 11 +---------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1fbaeb2d9..cc270aa14 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -73,6 +73,15 @@ jobs: - name: Select Xcode run: sudo xcode-select -s /Applications/Xcode_26.0.1.app/Contents/Developer + - name: Cache SPM dependencies + uses: actions/cache@v4 + with: + path: | + ~/Library/Caches/org.swift.swiftpm/repositories + key: spm-${{ runner.os }}-${{ hashFiles('Package.resolved') }} + restore-keys: | + spm-${{ runner.os }}- + - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: diff --git a/Package.resolved b/Package.resolved index 62c421983..276dce0b9 100644 --- a/Package.resolved +++ b/Package.resolved @@ -1,5 +1,5 @@ { - "originHash" : "b5958ced5a4c7d544f45cfa6cdc8cd0441f5e176874baac30922b53e6cc5aefc", + "originHash" : "c32e016069801ed394dc3903d2fe2eb6082b812eac4efb8b8c62b5d6de294a5d", "pins" : [ { "identity" : "svgview", 
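Review bot: The cache key hashes only the root `Package.resolved`, and the `restore-keys` fallback `spm-${{ runner.os }}-` reuses any older mirror cache; that is safe for integrity only because SwiftPM checks out the exact `revision` recorded in `Package.resolved`, so that invariant must hold — it is weakened if the resolved file is allowed to drift. On that note, `swift build` (below this hunk) re-resolves silently when `Package.swift` and `Package.resolved` disagree, which is presumably how the stale `wordpress-rs` branch pin this commit removes got there; passing `--force-resolved-versions` (supported by recent SwiftPM, worth confirming for the pinned Xcode) makes CI fail instead of quietly rewriting pins. `actions/cache@v4` is a floating tag like the other actions in this workflow; a commit-SHA pin is preferable. The Demo app's `xcodebuild` step (outside this hunk) resolves packages into DerivedData rather than `~/Library/Caches/org.swift.swiftpm`, so I would not expect this cache to speed that step up — worth measuring rather than assuming.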
@@ -18,15 +18,6 @@ "revision" : "aa85ee96017a730031bafe411cde24a08a17a9c9", "version" : "2.8.8" } - }, - { - "identity" : "wordpress-rs", - "kind" : "remoteSourceControl", - "location" : "https://github.com/Automattic/wordpress-rs", - "state" : { - "branch" : "alpha-20260313", - "revision" : "cde2fda82257f4ac7b81543d5b831bb267d4e52c" - } } ], "version" : 3 From 9e0f9137d9d4d10d74ba48e9ddc311c5f96a9558 Mon Sep 17 00:00:00 2001 From: Jeremy Massel <1123407+jkmassel@users.noreply.github.com> Date: Wed, 15 Apr 2026 12:51:41 -0600 Subject: [PATCH 12/12] ci: drop --build-tests from Swift CodeQL build swift build --build-tests compiles test targets that import UIKit, which isn't available when building for macOS on CI. The library targets are sufficient for CodeQL analysis. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index cc270aa14..8bc0f95df 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -88,7 +88,7 @@ jobs: languages: swift - name: Build Swift package - run: swift build --build-tests + run: swift build - name: Build Demo app run: xcodebuild build -project ios/Demo-iOS/Gutenberg.xcodeproj -scheme Gutenberg -destination 'generic/platform=iOS' CODE_SIGNING_ALLOWED=NO
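Review bot: Dropping `--build-tests` from the `swift build` line takes the test targets back out of CodeQL's Swift trace (patch 04 in this series added them for coverage), and nothing in the workflow records why, so the reduced scanned-file count is invisible to the next maintainer. At minimum add a comment above the step such as `# Test targets import UIKit and cannot be built for macOS here; they are not CodeQL-scanned`. If the tests matter for analysis, they can still be compiled for iOS from the package via `xcodebuild build-for-testing -scheme <package scheme> -destination 'generic/platform=iOS' CODE_SIGNING_ALLOWED=NO` in the same job, since the CodeQL tracer already wraps the Demo app's `xcodebuild` invocation on the next line — the scheme name is not visible here, so treat that as a sketch.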