There is no API access into the `.github/workflows/*` directory, and teams do not want to create `codeql-analysis.yml` files manually across hundreds of repositories.
The purpose of this tool is to help create a `codeql-analysis.yml` file across multiple repositories in an automated way.
There are two main actions this tool does:

- Goes and collects all the repositories a user has admin access over and stores them in the `repos.json` file.
- Loops over the repos found within the `repos.json` file and creates a pull request on each repository with the `codeql-analysis.yml` found in the root of this repository. For peace of mind, all pull requests created are stored within the `prs.txt` file, where you can see the URLs of the pull requests created.
- Node v12 or higher installed.
- Git installed on the user's machine running this tool.
- Someone who has at least admin access over the repositories they want to enable Code Scanning on.
- Some basic software development skills, e.g., can navigate their way around a terminal or command prompt.
- Clone this repository onto your local machine: `git clone https://github.com/NickLiffen/ghas-enablement.git`
- Change the directory to the repository you have just cloned: `cd ghas-enablement`
- Generate a Personal Access Token (PAT) and assign the `repo` scope.
- Rename `.env-sample` to `.env`. On a Mac, this can be done via the following terminal command: `mv .env-sample .env`
- Update the `GITHUB_TOKEN` value found within the `.env`. Remove the `XXXX` and replace it with the PAT created in Step 1.
- Update the `GITHUB_ORG` value found within the `.env`. Remove the `XXXX` and replace it with the name of the GitHub Organisation you would like to use as part of this script.
- Check the `codeql-analysis.yml` file. This is a sample file; please configure it to suit your application needs.
- Run `npm run build`, which will create the JavaScript bundle from TypeScript.
There are two simple steps to run:

The first step is collecting the repositories you would like to run this script on. You have two options. Option 1 is automated and finds all the repositories you have admin access to. Option 2 is a manual entry of the repositories you would like to run this script on. See more information below.

OPTION 1 (Preferred)

`npm run getRepos`

Suppose you don't want to manually go through and copy/paste the repo names into `repos.json`. In that case, you may execute this command, which returns a list of repos the current user is associated with and has admin access to. After successful execution of this command, `repos.json` is created/updated at the root level holding the desired list. This can be viewed/edited, and you may proceed with the following command to perform updates. You are welcome to modify this file; just make sure it's still a valid JSON file if you do edit it.
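The following is an added JavaScript example, not the ghas-enablement project's own code, showing the idea behind the `getRepos` step: take the repository objects that GitHub's "list repositories for the authenticated user" REST endpoint returns, keep only those the token holder administers in the target organisation, and shape them into the `repos.json` structure this tool consumes. The API response below is a constructed sample that reuses the real endpoint's field names (`name`, `owner.login`, `archived`, `permissions.admin`); the function names and the decision to skip archived repositories are this example's own assumptions.

```javascript
// Constructed sample of what GET /user/repos returns, trimmed to the fields
// this example needs. Field names match the real GitHub REST API.
const SAMPLE_API_RESPONSE = [
  { name: "payments-api", owner: { login: "example-org" }, archived: false,
    permissions: { admin: true, push: true, pull: true } },
  { name: "docs-site", owner: { login: "example-org" }, archived: false,
    permissions: { admin: false, push: true, pull: true } },
  { name: "legacy-service", owner: { login: "example-org" }, archived: true,
    permissions: { admin: true, push: true, pull: true } },
  { name: "personal-notes", owner: { login: "some-user" }, archived: false,
    permissions: { admin: true, push: true, pull: true } },
];

// Build repos.json entries for repositories in `org` that the token holder
// administers. Archived repositories are skipped (assumption: a pull request
// cannot be opened against them), and `enableDependabot` defaults to false so
// the person reviewing the generated file opts in per repository.
function buildReposJson(apiRepos, org, { enableDependabot = false } = {}) {
  return apiRepos
    .filter((r) => r.owner && r.owner.login === org)
    .filter((r) => r.permissions && r.permissions.admin === true)
    .filter((r) => !r.archived)
    .map((r) => ({ repo: r.name, enableDependabot }));
}

// Serialise in the same layout the README shows, ready to write to repos.json.
function toReposJsonText(entries) {
  return JSON.stringify(entries, null, 2);
}

// Running this file directly prints the generated repos.json text.
if (typeof require !== "undefined" && require.main === module) {
  console.log(toReposJsonText(buildReposJson(SAMPLE_API_RESPONSE, "example-org")));
}
```

Of the four sample repositories only `payments-api` survives: `docs-site` lacks admin permission, `legacy-service` is archived, and `personal-notes` belongs to a different owner. Filtering on `permissions.admin` rather than `push` matters because the generated list drives automated pull requests; restricting it to repositories the token holder already administers keeps the blast radius of a mistaken run inside repositories that person is accountable for.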
OR

OPTION 2

Create a file called `repos.json` within the root of this directory. This file needs to have an array of objects. The structure of the objects should look like this:
```json
[{
  "repo": "repo-name-one",
  "enableDependabot": false
},
{
  "repo": "repo-name-two",
  "enableDependabot": true
}]
```

As you can see, the object takes two keys, `repo` and `enableDependabot`. Set `repo` to the name of the repository where you would like the `codeql-analysis.yml` file to be enabled. Set `enableDependabot` to `true` if you would also like to enable Dependabot on that repo; set it to `false` if you do not want to enable Dependabot.
NOTE: The account that generated the PAT needs to have write access or higher over any repository that you include within the repos key.
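Because a hand-written `repos.json` drives pull requests across many repositories, it is worth checking the file before running the script. The following is an added JavaScript example, not the project's own code: a strict validator for the structure described above (a JSON array of objects with exactly the keys `repo`, a string, and `enableDependabot`, a boolean). The repository-name pattern and the duplicate check are this example's own assumptions; the real tool may accept other forms.

```javascript
// Assumed repository-name shape: letters, digits, '.', '-', '_' and no owner
// prefix, matching the "repo-name-one" style shown in the README.
const REPO_NAME = /^[A-Za-z0-9._-]+$/;

// Return a list of human-readable problems found in the repos.json text.
// An empty list means the file is safe to hand to the script.
function validateReposJson(text) {
  const problems = [];
  let data;
  try {
    data = JSON.parse(text);
  } catch (e) {
    return [`repos.json is not valid JSON: ${e.message}`];
  }
  if (!Array.isArray(data)) {
    return ["repos.json must be a JSON array of objects"];
  }
  const seen = new Set();
  data.forEach((entry, i) => {
    const where = `entry ${i}`;
    if (typeof entry !== "object" || entry === null || Array.isArray(entry)) {
      problems.push(`${where}: must be an object`);
      return;
    }
    // Only the two documented keys are allowed; anything else is a typo.
    if (Object.keys(entry).sort().join(",") !== "enableDependabot,repo") {
      problems.push(`${where}: expected keys "repo" and "enableDependabot", got [${Object.keys(entry).join(", ")}]`);
    }
    if (typeof entry.repo !== "string" || !REPO_NAME.test(entry.repo)) {
      problems.push(`${where}: "repo" must be a repository name such as "repo-name-one"`);
    } else if (seen.has(entry.repo)) {
      problems.push(`${where}: duplicate repo "${entry.repo}" (would open two pull requests)`);
    } else {
      seen.add(entry.repo);
    }
    if (typeof entry.enableDependabot !== "boolean") {
      problems.push(`${where}: "enableDependabot" must be true or false, not ${JSON.stringify(entry.enableDependabot)}`);
    }
  });
  return problems;
}

// Constructed sample inputs: one well-formed file and one with typical mistakes
// (owner prefix in the repo name, a quoted boolean, and a duplicated entry).
const GOOD_REPOS_JSON = `[{"repo": "repo-name-one", "enableDependabot": false},
 {"repo": "repo-name-two", "enableDependabot": true}]`;
const BAD_REPOS_JSON = `[{"repo": "org/repo-name-one", "enableDependabot": "false"},
 {"repo": "repo-name-two", "enableDependabot": true},
 {"repo": "repo-name-two", "enableDependabot": true}]`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("good:", validateReposJson(GOOD_REPOS_JSON));
  console.log("bad:", validateReposJson(BAD_REPOS_JSON));
}
```

The validator rejects the quoted string `"false"` rather than coercing it, because JavaScript's truthiness would otherwise turn it into an unintended Dependabot enablement, and it flags duplicate names so a copy/paste slip does not open two pull requests against the same repository.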
The second step is to run the script which enables Code Scanning (and/or Dependabot) on your repositories:

`npm run start`

This will run a script, and you should see output text appearing on your screen.
After the script has run, please head to your `~/Desktop` directory and delete the `tempGitLocations` directory that has been automatically created.
Found a bug? Create an issue within the repository and mention @nickliffen. Key things to mention within your issue:
- Windows or Mac
- What version of NodeJS you are running.
- Print any logs that appear on the terminal or command prompt
Have a feature request? Great! Open an issue, describe what feature you want to create and make sure to mention @nickliffen.