bemanproject · steve-downey · Dec 22, 2025 · Dec 22, 2025 · Dec 22, 2025 · Dec 22, 2025
@@ -0,0 +1,19 @@
+// .devcontainer/devcontainer.json                                   -*-json-*-
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/cpp
+
+{
+  "name": "Beman Project Generic Devcontainer",
+  "image": "ghcr.io/bemanproject/infra-containers-devcontainer-gcc:14",
+  "postCreateCommand": "pre-commit",
+  "customizations": {
+	"vscode": {
+	  "extensions": [
+		"ms-vscode.cpptools",
+		"ms-vscode.cmake-tools"
+	  ]
+	}
+  }
+}
@@ -8,6 +8,8 @@ on:
     # minute hour day month day-of-week
     # Run at 12:25 UTC every day
     - cron: '25 12 * * *'
+  permissions:
+    contents: read
 
 jobs:
   build:
@@ -111,6 +113,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: [build]
     if: failure() && github.event_name == 'schedule'
+    permissions:
+      contents: read
+      issues: write
     steps:
       # See https://github.com/cli/cli/issues/5075
       - uses: actions/checkout@v6

@@ -2,6 +2,9 @@
 
 name: Continuous Integration Tests
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -127,4 +130,7 @@ jobs:
   create-issue-when-fault:
     needs: [preset-test, build-and-test]
     if: failure() && github.event_name == 'schedule'
+    permissions:
+      contents: read
+      issues: write
     uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-create-issue-when-fault.yml@1.1.0
@@ -0,0 +1,105 @@
+---
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "33 19 * * 4"
+
+# Declare default permissions as read-only
+permissions: read-all
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      # Add any setup steps before running the `github/codeql-action/init` action.
+      # This includes steps like installing compilers or runtimes (`actions/setup-node`
+      # or others). This is typically only required for manual builds.
+      # Ensure the GitHub Actions hash is pinned if this setup step is uncommented.
+      # - name: Setup runtime (example)
+      #   uses: actions/setup-example@v1
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+
+      # If the analyze step fails for one of the languages you are analyzing with
+      # "We were unable to automatically build your code", modify the matrix above
+      # to set the build mode to "manual" for that language. Then modify this step
+      # to build your code.
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+      - if: matrix.build-mode == 'manual'
+        shell: bash
+        run: |
+          echo 'If you are using a "manual" build mode for one or more of the' \
+            'languages you are analyzing, replace this with the commands to build' \
+            'your code, for example:'
+          echo '  make bootstrap'
+          echo '  make release'
+          exit 1
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+        with:
+          category: "/language:${{matrix.language}}"
@@ -0,0 +1,56 @@
+name: Scorecard analysis workflow
+on:
+  push:
+    # Only the default branch is supported.
+    branches:
+    - main
+  schedule:
+    # Weekly on Saturdays.
+    - cron:  '30 1 * * 6'
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed for Code scanning upload
+      security-events: write
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Scorecard team runs a weekly scan of public GitHub repos,
+          # see https://github.com/ossf/scorecard#public-data.
+          # Setting `publish_results: true` helps us scale by leveraging your workflow to
+          # extract the results instead of relying on our own infrastructure to run scans.
+          # And it's free for you!
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable
+      # uploads of run results in SARIF format to the repository Actions tab.
+      # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
+        with:
+          sarif_file: results.sarif
@@ -1,12 +1,15 @@
 name: Lint Check (pre-commit)
 
 on:
+  workflow_dispatch:
   # We have to use pull_request_target here as pull_request does not grant
   # enough permission for reviewdog
   pull_request_target:
   push:
     branches:
       - main
+  permissions:
+    contents: read
 
 jobs:
   pre-commit:

@@ -9,6 +9,9 @@ on:
 
 jobs:
   auto-update-pre-commit:
+    permissions:
+      contents: write
+      pull-requests: write
     uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-update-pre-commit.yml@1.1.0
     secrets:
       APP_ID: ${{ secrets.AUTO_PR_BOT_APP_ID }}

@@ -2,7 +2,7 @@ name: pre-commit
 
 on:
   workflow_dispatch:
-  pull_request_target:
+  pull_request:
   push:
 
 jobs:
@@ -11,6 +11,9 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event_name == 'push' }}
 
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
@@ -56,18 +59,16 @@ jobs:
         # we only lint on the changed file in PR.
       - name: Get Changed Files
         id: changed-files
-        uses: tj-actions/changed-files@v47
+        uses: step-security/changed-files@v46
 
-        # See:
-        # https://github.com/tj-actions/changed-files?tab=readme-ov-file#using-local-git-directory-
       - uses: pre-commit/action@v3.0.1
         id: run-pre-commit
         with:
           extra_args: --files ${{ steps.changed-files.outputs.all_changed_files }}
 
         # Review dog posts the suggested change from pre-commit to the pr.
       - name: suggester / pre-commit
-        uses: reviewdog/action-suggester@v1
+        uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff #v1.24.0
         if: ${{ failure() && steps.run-pre-commit.conclusion == 'failure' }}
         with:
           tool_name: pre-commit

@@ -32,3 +32,5 @@ compile_commands.json
 /docs/html
 /docs/latex
 /docs/adoc/
+/build/
+/installtest/.build/
@@ -3,7 +3,7 @@
 
 cmake_minimum_required(VERSION 3.27)
 
-project(beman.optional VERSION 0.0.0 LANGUAGES CXX)
+project(beman.optional VERSION 1.0.0 LANGUAGES CXX)
 
 # Includes
 include(CTest)