From ea284ce7eb13966bc980b24a62e1078d993b8cbb Mon Sep 17 00:00:00 2001 From: Paul Schmiedmayer Date: Fri, 17 May 2024 14:37:36 -0700 Subject: [PATCH] CodeQL Improvements, Add Environments, And Improve Multiplatform Builds (#69) # CodeQL Improvements, Add Environments, And Improve Multiplatform Builds ## :gear: Release Notes - CodeQL Improvements - Add Environments - Improve Multiplatform Builds ### Code of Conduct & Contributing Guidelines By submitting creating this pull request, you agree to follow our [Code of Conduct](https://github.com/StanfordBDHG/.github/blob/main/CODE_OF_CONDUCT.md) and [Contributing Guidelines](https://github.com/StanfordBDHG/.github/blob/main/CONTRIBUTING.md): - [x] I agree to follow the [Code of Conduct](https://github.com/StanfordBDHG/.github/blob/main/CODE_OF_CONDUCT.md) and [Contributing Guidelines](https://github.com/StanfordBDHG/.github/blob/main/CONTRIBUTING.md). --- .github/workflows/docker-build-and-push.yml | 27 +++++++++++++++++--- .github/workflows/xcodebuild-or-fastlane.yml | 4 +-- 2 files changed, 26 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml index 203f3b9..49f392a 100644 --- a/.github/workflows/docker-build-and-push.yml +++ b/.github/workflows/docker-build-and-push.yml @@ -33,6 +33,11 @@ on: required: false type: string default: '.' + environment: + description: 'GitHub deployment environment to optionally adjust access to variables and secrets with additional protection rules: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment' + required: false + type: string + default: '' secrets: username: description: 'Username for authenticating to the Docker registry. Uses the GitHub actor by default.' 
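Review bot: The new `environment` input's `description` in this hunk is a single line of roughly 200 characters (sentence plus docs URL), which is hard to read and will trip yamllint's line-length rule; fold it with `>-` so the sentence and the URL sit on separate source lines while the runtime value stays one string. It would also help callers to state that the named environment must exist in the calling repository and that its protection rules and secrets then apply to the build job, since the job-level `environment:` that consumes this input is set in a later hunk of the same file. The `on:` block continues outside the hunk.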
@@ -57,7 +62,12 @@ jobs: platform: - linux/amd64 - linux/arm64 + environment: ${{ inputs.environment }} steps: + - name: Check environment + run: | + echo "env.selfhosted: ${{ env.selfhosted }}" + echo "environment: ${{ inputs.environment }}" - uses: actions/checkout@v4 - name: Docker meta id: meta @@ -104,10 +114,16 @@ jobs: mkdir -p /tmp/digests digest="${{ steps.build.outputs.digest }}" touch "/tmp/digests/${digest#sha256:}" + - name: Set transformed platform name + id: set-platform-name + run: | + transformed_platform=${{ matrix.platform }} + transformed_platform=${transformed_platform//\//-} + echo "transformed_platform=$transformed_platform" >> $GITHUB_ENV - name: Upload digest uses: actions/upload-artifact@v4 with: - name: digests + name: digests-${{ env.transformed_platform }}-${{ github.run_id }} path: /tmp/digests/* if-no-files-found: error retention-days: 1 @@ -119,8 +135,13 @@ jobs: - name: Download digests uses: actions/download-artifact@v4 with: - name: digests - path: /tmp/digests + name: digests-linux-amd64-${{ github.run_id }} + path: /tmp/digests/ + - name: Download digests + uses: actions/download-artifact@v4 + with: + name: digests-linux-arm64-${{ github.run_id }} + path: /tmp/digests/ - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Docker meta diff --git a/.github/workflows/xcodebuild-or-fastlane.yml b/.github/workflows/xcodebuild-or-fastlane.yml index 351cb19..ad4bfe2 100644 --- a/.github/workflows/xcodebuild-or-fastlane.yml +++ b/.github/workflows/xcodebuild-or-fastlane.yml @@ -245,7 +245,7 @@ jobs: echo -n "${{ secrets.GOOGLE_SERVICE_INFO_PLIST_BASE64 }}" | base64 --decode -o "${{ inputs.googleserviceinfoplistpath }}" - name: Initialize CodeQL if: ${{ !env.selfhosted && inputs.codeql }} - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: swift db-location: '${{ inputs.path }}/.codeql' 
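Review bot: The `Check environment` step interpolates `${{ inputs.environment }}` and `${{ env.selfhosted }}` directly into the `run:` script, so a caller-supplied input is expanded into the shell source before bash parses it; GitHub's guidance for `run` steps is to pass expression values through `env:` and reference them as shell variables, which keeps a value containing quotes or `$(` from changing the script. The step also only prints the two values, so `Check` overstates what it does — `Print environment` would be accurate. When the caller omits the input, the job-level `environment: ${{ inputs.environment }}` resolves to the empty-string default set in the earlier hunk; confirm that GitHub accepts an empty environment name on a reusable-workflow job rather than failing validation. The job definition continues outside the hunk.
```yaml
      - name: Check environment
        env:
          SELFHOSTED: ${{ env.selfhosted }}
          ENVIRONMENT: ${{ inputs.environment }}
        run: |
          echo "env.selfhosted: $SELFHOSTED"
          echo "environment: $ENVIRONMENT"
      # … unchanged: checkout and Docker meta steps …
```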
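Review bot: In the `Set transformed platform name` step the `id: set-platform-name` is never referenced, because the value is exported through `$GITHUB_ENV` and read back as `env.transformed_platform` in the upload step; either drop the id or, preferably, emit a step output with `echo "transformed_platform=$transformed_platform" >> "$GITHUB_OUTPUT"` and reference it as `name: digests-${{ steps.set-platform-name.outputs.transformed_platform }}-${{ github.run_id }}`, which scopes the value to the step that produced it. Quoting `"$GITHUB_ENV"` (or `"$GITHUB_OUTPUT"`) in the redirection is the usual shell hygiene and worth doing either way. The `${{ matrix.platform }}` expansion inside `run:` is safe here only because the matrix values are fixed in the workflow (`linux/amd64` and `linux/arm64` in the earlier hunk); if the platform list ever becomes an input, move it behind `env:` like other expression values. The build job continues outside the hunk.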
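Review bot: The two `Download digests` steps hard-code `linux-amd64` and `linux-arm64`, duplicating the build job's `platform` matrix from the earlier hunk, so adding or removing a platform there leaves this merge job with missing or stale digests and no error. `actions/download-artifact@v4` can fetch all of them in one step with `pattern: digests-*-${{ github.run_id }}` plus `merge-multiple: true` into `path: /tmp/digests/`, which also removes the duplicated step name. The `${{ github.run_id }}` suffix is redundant for uniqueness since artifacts are already scoped to the run, but it is harmless and matches the upload step's naming. The merge job continues outside the hunk.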
@@ -408,7 +408,7 @@ jobs: GOOGLE_APPLICATION_CREDENTIALS_BASE64: ${{ secrets.GOOGLE_APPLICATION_CREDENTIALS_BASE64 }} - name: Perform CodeQL Analysis if: ${{ !env.selfhosted && inputs.codeql }} - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 - name: Upload artifact if: ${{ (success() || failure()) && inputs.artifactname != '' && inputs.buildConfig != 'Release' }} uses: actions/upload-artifact@v4